Security guidance for early IoT adopters
The Internet of Things (IoT) provides new and enhanced capabilities across diverse industries and enterprise functions, along with security challenges unique to each market segment, use case and vendor community. However, there has not yet been sufficient research into the vulnerabilities associated with the IoT, or into best practices for securely developing, deploying, trusting and maintaining IoT components.
At the RSA Conference 2015, the Cloud Security Alliance (CSA) unveiled a new guidance report, aimed at helping early adopters understand the security challenges surrounding the IoT, and providing recommended security controls and sample use-cases for organizations implementing IoT capabilities.
These controls have been tailored to IoT-specific characteristics to allow early adopters to mitigate many of the risks associated with this new technology.
“Traditional security mechanisms such as secure software development and security controls engineering, common vulnerability and exploit (CVE) discovery and reporting, vulnerability management, and field upgrade and patching do not exist or are immature in most of the industries taking advantage of IoT platforms,” said Luciano Santos, VP of Research and Member Services for the CSA. “Research is needed to allow organizations to design a trusted IoT ecosystem in their enterprise that securely utilizes the cloud for control and data connectivity. In the absence of this research, organizations will be forced to make substantial architectural decisions without sufficient data to understand the risks and identify appropriate mitigations.”
CSA is supporting the industry by decomposing the common device types, markets and architectures of the IoT, and then analyzing and recommending appropriate security mitigations across these commonalities. In future research in this area, CSA will associate each category with the appropriate cloud security standards, CCM controls, best practices and relevant governance.
This research will help identify and document critical vulnerabilities associated with the introduction of IoT into various enterprise environments, and provide best practices for mitigating them. As part of its ongoing research, CSA will also provide developers with secure development guidance to ensure IoT components are designed securely from the start.
Recommended security controls detailed in the report include:
- Analyze privacy impacts to stakeholders and adopt a privacy-by-design approach to IoT development and deployment.
- Apply a Secure Systems Engineering approach to architecting and deploying a new IoT system of systems (SoS).
- Implement layered security protections to defend IoT assets.
- Define life-cycle controls for IoT devices.
- Define and implement an authentication/authorization framework for the organization’s IoT deployments.
- Define and implement a logging/audit framework for the organization’s IoT ecosystem.
- Develop safeguards to assure the availability of IoT-based systems and data.
- Share threat information with security vendors, industry peers and the Cloud Security Alliance, supporting a global approach to combating security threats.